SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce
Campaign
Summary
Hide ▲
Show ▼
A SideWinder campaign used four waves of spear-phishing from March through September 2025, reaching a European embassy in New Delhi and organizations in Sri Lanka, Pakistan, and Bangladesh. The operation matters because it pairs diplomatic targeting with espionage-focused malware delivery, raising the risk of credential theft and hidden access. It also shows a shift to a PDF and ClickOnce infection chain layered on top of earlier Word-based tradecraft.
Related Happenings
WhatsApp VBScript attachment distribution campaign
Campaign
H score42
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript attachment distribution campaign
CampaignAbout this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
H score26
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
CampaignAbout this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
H score38
First: 01.04.2026 15:36
Last: 01.04.2026 15:36
Sources 1
About this happening:
**Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
CampaignAbout this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
Evasive Panda DNS poisoning MgBot espionage campaign
Campaign
H score33
First: 26.12.2025 16:44
Last: 26.12.2025 16:44
Sources 1
About this happening:
**Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
Evasive Panda DNS poisoning MgBot espionage campaign
CampaignAbout this happening: **Evasive Panda** ran a **highly targeted cyber espionage campaign** that used **DNS poisoning** to deliver **MgBot** to victims in **Türkiye, China, and India**. The operation wa...
Timeline
-
28.10.2025 06:01 1 articles · 8mo ago
SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce
Initial DisclosureThe initial phase began with **spear-phishing emails** sent in **four waves** from **March through September 2025**. Early lures used **PDF** and **Microsoft Word** documents to pull targets into the infection chain.
Show sources
- SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats — thehackernews.com — 28.10.2025 06:01